ID. Date of interview 
date 42/92/20 


ID. Time interview started 
start 12:49:48 


ID.end Completion date of interview 
Date 42/02/20 


ID.end Time interview ended 
14:30:55 


ID. Duration of interview 
time 101.12 


new Case 


ICO consultation on the draft right of access guidance


Q1 


Does the draft guidance cover the relevant issues about the right of access? 
( ) Yes
( ) No
( ) Unsure / don't know

If no or unsure/don’t know, what other issues would you like to be covered in it? 


Q2 


Does the draft guidance contain the right level of detail? 
( ) Yes
( ) No
( ) Unsure / don't know


If no or unsure/don't know, in what areas should there be more detail within the draft 
guidance? 


1. The ICO's procedure for investigating complaints around subject access requests. What level of ‘evidence’ and records is expected, or to what extent are opinions/ sanctions made on a judgement call of the case workers? How long should proof of compliance / application of exemptions information be retained? Is the approach taken in each case uniform?

2. We think the final paragraph on page 76 around compensation poses more questions than it answers, and will cause concern to a lot of small organisations not familiar with legal processes.

3. Law enforcement processing is clearly carved out, but some help as to how to handle data created by law enforcement bodies for law enforcement purposes which is in the filing systems of non law enforcement bodies, which is very commonplace, would be useful. For example, emails, reports, evidence exchanged by an organisation regarding a related data subject for police purposes when cooperating with an investigation or the requests of a law enforcement officer. These fall under scope of SARs, but the law enforcement provisions won't apply. If the police forbid disclosure, even if the investigation in question is closed, but, for example, a suspect might still be potentially dangerous, and information might be sensitive, or involve safeguarding as opposed to strictly criminal issues, where does that leave an organisation?

4. Management information. To what extent can the exemption apply to historic restructures as opposed to impending ones?

5. Functions designed to protect the public. Further guidance around ‘function of a public nature or exercised in the public interest' would be beneficial. Specifically, a lot of charities/ volunteer organisations hold data on individuals for the purpose of protecting the members of the public they work with (again, regarding issues such as safeguarding, ASBOs, aggressive behaviour towards their staff) which, if disclosed, would prejudice the purpose of processing. Is this 'public interest’?

6. On page 44, in the second bullet under ‘are there any other relevant factors’ we find that quite often the third parties known to individuals are most likely to be at risk of harm or distress if their data/ information identifying them is disclosed. For example, in grassroots sports club scenarios, where all individuals involved live in the same geographical location, and emotions are known to be easily heightened.

7. On page 41, can a delay of a third party responding re their consent constitute complex for the purpose of extending the deadline?

8. Page 30 explains the right of access. A lot of individuals still misunderstand this right, so we think this needs further explanation and emphasis, that a data subject isn't entitled to everything that his name is on, or every email he ever sent during 20 years as an employee, for example.

9. The information on page 25 at the minute reads as quite contradictory, and isn't particularly clear. This is a huge area of uncertainty at present, so further detail here would be useful. There has been to this point, following previous ICO guidance, that 'beyond use’ data was sufficiently 'deleted'. Many systems still simply don't allow true deletion of all data. Searches of beyond use data are often beyond the capability and sometimes comprehension of SMEs. Examples of approved ‘deletion’ solutions would help.


Q3 


Does the draft guidance contain enough examples? 
( ) Yes
( ) No
( ) Unsure / don't know


If no or unsure/don’t know, please provide any examples that you think should be included in
the draft guidance.


More examples would be useful of: Manifestly unfounded / vindictive requests/ requests as part of a 
campaign, or that amount to bullying; Balancing the rights of third parties in mixed data requests (a 
safeguarding investigation example would be great! What about children, or internal employee 
conversations where all have to continue working together?); Examples of ‘public interest’ and ‘seriously 
improper conduct' for the exemption of ‘functions designed to protect the public’; The types of information 
in personal devices that falls under a SAR, and when and to what extent an organisation can mandate it 
be searched; When emails constitute personal data, and when they don't, such as employees’, a 
customer's complaint; and No enforcement taken cases, and why (page 22). 


Q4 


We have found that data protection professionals often struggle with applying and
defining ‘manifestly unfounded or excessive’ subject access requests. We would like
to include a wide range of examples from a variety of sectors to help you. Please
provide some examples of manifestly unfounded and excessive requests below (if
applicable).


Q5 On a scale of 1-5 how useful is the draft guidance?

1 - Not at all useful
2 - Slightly useful
3 - Moderately useful
4 - Very useful
5 - Extremely useful


Q6 


Why have you given this score? 


It covers most of the repeat questions we get. In parts more detail would be helpful,
as would emphasising the point that the legislation intentionally has room for
manoeuvre, and organisations should be exercising their own discretion and
judgement when applying exemptions.


Q7 To what extent do you agree that the draft guidance is clear and easy to understand?

Strongly disagree / Disagree / Neither agree nor disagree / Agree / Strongly agree


Q8 


Q9 


Please provide any further comments or suggestions you may have about the draft 
guidance. 


(Re page 41) We have issues determining confidentiality, in documents such as tip 
offs, witness statements (formal or informal), behavioural concerns correspondence, 
emails marked as 'personal', etc., where there is an implied expectation of 
confidentiality. Regarding clarifying requests, we feel strongly that time shouldn't
run, especially if a data subject won't cooperate. If the response comes back and is 
vastly different (eg. for one document, when you have commenced searching all 
data) then potentially huge amounts of time and money may have been wasted. 
This guidance does not address the principle of proportionality. For small 
organisations, the whole SAR process is both cumbersome and (often fatally) 
expensive, to run searches, manually filter the personal data, and engage the legal 
support needed to advise on exemptions. Often subjects know and are exploiting 
this, but it is a risk to rely on manifestly unfounded if there is no evidence of a 
subject's motives. (Re page 44) In the second bullet point paragraph, the concept 
of ‘significance’ is subjective and hard to determine. The education data section is 
particularly clear and helpful. Responding to SARs containing aggressive or abusive 
language is often contrary to an organisation’s general policy, and sets a dangerous 
precedent, as ultimately campaigns containing such language can amount to 
harassment. If a subject states an interest in accessing their data, but you know 
this to be untrue, they have easily undermined your ability to rely on the manifestly 
unfounded exception. How can this exception ever be clear when a data subject 
doesn’t have to explain their reasons for a request? (Page 10). Determining whether 
a request is manifestly unfounded is therefore always risky for an organisation, and 

Are you answering as:

( ) An individual acting in a private capacity (eg someone providing their views as a member of the public)
( ) An individual acting in a professional capacity
( ) On behalf of an organisation
( ) Other

Please specify the name of your organisation: 

Muckle LLP 


What sector are you from: 


Commercial law practice 


Q10 How did you find out about this survey? 
( ) ICO Twitter account
( ) ICO Facebook account
( ) ICO LinkedIn account
( ) ICO website
( ) ICO newsletter
( ) ICO staff member
( ) Colleague
( ) Personal/work Twitter account
( ) Personal/work Facebook account
( ) Personal/work LinkedIn account
( ) Other
If other please specify: 


